Designing and implementing an Identity and Access Management (IAM) program is a monumental task. Realistically, most organizations have some semblance of an IAM infrastructure already in place. In some ways, trying to restructure an existing environment is more difficult than starting from scratch, particularly if it's been around for a while. At North Carolina State University, we found that the technical issues are not the only challenges to success.
Much of N.C. State's existing IAM infrastructure was originally developed and built by the university's College of Engineering in the late 1980s. What was first known as "Eos" was built with technologies developed in Project Athena at MIT and Project Andrew at Carnegie Mellon University. It included Kerberos for authentication; Hesiod for name, groups and directory services; Zephyr for instant messaging; and the Andrews File System.
In the early 1990s the environment was adopted campuswide by the central academic computing organization and became known as Unity (or Eos/Unity). Since that time, additional authentication environments and directory services have been tied to the original configuration.
The most pressing IAM challenges for us are to simplify the authentication and authorization infrastructure, establish policies and procedures around identity-proofing students, define attribute release policies for federated access, and look at centralized group management for access to applications and resources.
Some of the same obstacles may apply regardless of the nature of your organization. With that in mind, here are five best practices for implementing IAM:
·Involve distributed and central units in the governance structure. The final structure of any complete IAM solution will require input and buy-in from a large, distributed set of stakeholders, so it is critical that they be included from the beginning to help define the requirements and make sure their needs and concerns are addressed.
We included IT directors as well as core units such as human resources, finance, student affairs and library services. We needed to be sure the committees and task forces understood the goals and had leadership in place to ensure they didn't get sidetracked.
Some team members were initially critical of the project and unsure of its ability to succeed. By presenting an overview of IAM and laying out a roadmap for implementation, we made sure everyone was on the same page and understood the benefits up front. By showing where IAM touches their processes, the stakeholders were able to see how implementing a comprehensive IAM plan could resolve (or at least improve) many of their biggest operational headaches, such as legal compliance and demand for data extracts across campus.
·Treat distributed and central IT organizations as a single entity. During the past few years, we have combined our administrative and academic computing groups into a centralized organization, now known as the university's Office of Information Technology (OIT).
Collaboration within our new OIT organization has had its challenges simply because things were done differently on the academic and administrative sides of the house. When outside campus IT organizations are teamed with central IT, some individuals may adopt an us-versus-them approach. Breaking down the perceived barriers between central and distributed organizations requires a concerted effort to build trust.
Distributed groups are generally smaller and can act more nimbly than a central enterprise group. Take advantage of this and partner to bridge the flexibility into the collaborative effort. Also, don't underestimate the technical talent outside central IT. The flexibility of smaller IT groups to test and implement new technology can be a helpful resource to larger central organizations that frequently have their budgets and staffs tied up in large projects.
·Pick some easy wins. Building respect and trust for a central organization requires demonstrating the capability to achieve success. A new organization may not have a history of strong support and robust services to rely on and will need to build partnerships across the institution.
We had more than 30 instances of Microsoft's Active Directory on campus, and needed to coordinate and consolidate these into a single campuswide environment. We also had recently established a Shibboleth Identity Provider (IdP) on campus to support our participation in the state university system identity federation. We chose these as key projects to begin our IAM initiative so we could produce successful collaborations that provided substantial benefit to a large number of stakeholders. We included members from both central IT and the colleges on each working group.
The Active Directory team looked at the existing implementations on campus (including those in the central IT group) and after much discussion picked the environment managed by one of the colleges as a starting point. For a campuswide solution, it was the best option as it had a larger client base and already supported a number of other colleges and departments. The Shibboleth-Federated IdP Working Group also continues to make significant progress on a number of projects involving access to both on-campus and external resources.
·Be transparent. Transparency builds trust and improves collaboration. Improved visibility of the planning and decision-making process and project progress results in fewer misunderstandings, reduced errors and smoother implementations.
Notify users and support staff as projects are implemented or changes in direction or timetables occur. Hold open forums, "lunch and learn" sessions and town meetings to keep users informed and allow them to ask questions. Central IT organizations are often insular and can be perceived as making decisions without consulting the proper stakeholders. By making the information and decision process open and shared, other units will understand the decision path and there will be less confusion.
We now hold open meetings, post the minutes on the web, share documents and presentations, and share costing documents and research. This helps others understand the solutions and how decisions are made.
Always keep the functional requirements as critical goals. As with any new technology, the benefit to the users must be clear. IAM implementations must not make it harder for users to do their work. It is important to remember that the job of IT is to provide services that support the mission, vision and goals of the organization.
Every project should provide value to the organization by helping improve its overall effectiveness and efficiency. IAM is a fundamental software infrastructure that will let all groups improve and automate more functions. Providing strong authentication and controlled access through well-planned attribute release will offer the flexibility to foster fine-grained authorization to applications, data and resources.
In creating an attribute release policy, we are involving the users, central units, data stewards and IT groups to be sure we meet all their needs.
·Highlight the benefits of IAM by describing real-life examples. Many of the benefits of integrated IAM are evident to most IT professionals. Those stakeholders and customers who do not have a technical background may need to be shown examples that highlight the benefits -- for instance, the need to properly identity-proof students who will have access to their grades or financial information.
Reducing the number of accounts or passwords people need to manage by implementing a simplified authentication environment is something most stakeholders can appreciate. Providing centralized, authoritative, up-to-date identity data about students and employees can eliminate many data extracts that currently need to be provided to colleges and departments.
These and many other examples of new features that simplify the relationship IT has with stakeholders can help users accept an IAM deployment.